Commit graph

6206 commits

Author SHA1 Message Date
David Horstmann
bf95e9a058 Reword description and change NUL to null
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-01 15:33:15 +01:00
David Horstmann
017139751a Change behaviour away from NUL-terminated strings
Instead, require the length of the string to be passed. This is more
useful for our use-case, as it is likely we will parse OIDs from the
middle of strings.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-01 15:04:20 +01:00
David Horstmann
d1a203a382 Cosmetic fixes to doxygen comment
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-01 15:02:15 +01:00
valerio
64e0184a39 psa_util: add support for rfc8410's OIDs
Signed-off-by: valerio <valerio.setti@nordicsemi.no>
2023-06-01 11:06:40 +02:00
Manuel Pégourié-Gonnard
7b1136836c
Merge pull request #7438 from valeriosetti/issue7074
Avoid parse/unparse private ECC keys in PK with USE_PSA when !ECP_C
2023-06-01 10:06:45 +02:00
Gilles Peskine
a1b416670e
Merge pull request #7547 from silabs-Kusumit/PBKDF2_input_validation
PBKDF2: Input Validation
2023-06-01 10:05:34 +02:00
David Horstmann
b97b689832 Reword function description slightly
Use of the term "dotted-decimal" improves clarity. Put a full-stop where
one should have been.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-05-31 14:42:00 +01:00
Kusumit Ghoderao
b20f13a41b Change input cost type to uint64_t and fix max iteration test case
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-31 12:51:02 +05:30
Kusumit Ghoderao
10cc6bda1c Add PSA_ALG_PBKDF2_HMAC_GET_HASH macro
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-24 12:35:14 +05:30
Kusumit Ghoderao
e66a8ad8d6 Define PSA_VENDOR_PBKDF2_MAX_ITERATIONS
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-24 12:30:43 +05:30
Kusumit Ghoderao
52fe517a77 Change pbkdf2 password to array
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-24 12:28:46 +05:30
Dave Rodgman
b2e551d347
Merge pull request #6943 from ucko/2023b-platform 2023-05-23 18:37:54 +01:00
Valerio Setti
7ef8a8d0da pk: improve description for the new priv_id field
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-23 18:39:54 +02:00
Manuel Pégourié-Gonnard
9dc9204b77
Merge pull request #7554 from valeriosetti/issue7073-reshape
Avoid parse/unparse public ECC keys in PK with USE_PSA when !ECP_C
2023-05-23 15:08:45 +02:00
Aditya Deshpande
2f1ae5a86e Modify TFM files to allow them to build on baremetal with Mbed TLS and fix code style.
Also change the include path of crypto_spe.h in crypto_platform.h to allow the former file to be included in library-only builds.

Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2023-05-23 15:40:11 +08:00
Valerio Setti
016264b6cb pk: fix a return value and a typo in comment
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-22 18:40:35 +02:00
Gilles Peskine
50729eac74
Merge pull request #7611 from yanrayw/7609_tweak_build_info_include_order
build_info.h: fix mutual implications with config_psa.h temporarily
2023-05-22 17:49:55 +02:00
Yanray Wang
37db332658 build_info.h: rewrite comment
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-22 16:50:39 +08:00
Aaron M. Ucko
5e4a01bff5 mbedtls/platform.h: Avoid potential macro redefinition warnings.
Some identifiers (e.g. mbedtls_free) can name either functions or
macros depending on configuration settings.  For those that turn out
to name macros, first clear out any existing macro definitions to
accommodate possible unconditional bulk symbol renaming.  (There
remains no standard provision for such renaming, but it's nevertheless
straightforward enough to do as desired, particularly with this change
in place.)

Signed-off-by: Aaron M. Ucko <ucko@ncbi.nlm.nih.gov>
2023-05-19 10:50:06 -04:00
Valerio Setti
f57007dd1e pk: fixing and improving comments
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-19 13:54:39 +02:00
Paul Elliott
9a11f8a122
Merge pull request #7573 from tom-cosgrove-arm/add-psa_want_alg_some_pake
Only include psa_pake_setup() and friends if some PAKE algorithms are required
2023-05-18 09:59:52 +01:00
Andrzej Kurek
1bc7df2540 Add documentation and a changelog entry
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-17 15:23:56 -04:00
Paul Elliott
8203f2d89f
Merge pull request #7535 from minosgalanakis/ecp/7264_enable_core_shift_l
[Bignum] Adjust mbedtls_mpi_core_shift_l to use the core function
2023-05-17 18:45:44 +01:00
Valerio Setti
c1541cb3c7 pk: minor fixes (guards and a wrong assignment)
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-17 19:23:02 +02:00
Andrzej Kurek
67fdb3307d Add a possibility to write subject alt names in a certificate
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-17 11:45:36 -04:00
Andrzej Kurek
1a75269589 Move mbedtls_x509_san_list to x509.h
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-17 11:45:36 -04:00
Valerio Setti
92c3f36866 test_suite_debug: fix USE_PSA_INIT/DONE guards in a test
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-17 15:38:34 +02:00
Valerio Setti
722f8f7472 pk: adding a new field to store the public key in raw format
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-17 15:31:21 +02:00
Manuel Pégourié-Gonnard
b1c0afe484
Merge pull request #7595 from valeriosetti/deprecate_pk_ec
Set mbedtls_pk_ec() as internal function when ECP_C is not defined
2023-05-17 12:27:03 +02:00
Yanray Wang
419a55e929 build_info.h: rewrite comment for inclusion of config_psa.h
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-17 18:22:34 +08:00
Yanray Wang
6397673cb8 build_info.h: change location of including config_psa.h
In build_info.h, some macros are defined based on PSA_WANT_XXX symbol.
This commit tweaks the location of including config_psa.h
so that macros in build_info.h could imply config options correctly.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-17 13:57:22 +08:00
Minos Galanakis
2056d09893 bignum: Updated documentation for mbedtls_mpi_shift_l()
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2023-05-16 17:16:26 +01:00
Valerio Setti
3f00b84dd1 pk: fix build issues
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-15 12:57:06 +02:00
Valerio Setti
77a75685ed pk: align library and tests code to the new internal functions
Note = programs are not aligned to this change because:
- the original mbedtls_pk_ec is not ufficially deprecated
- that function is used in tests when ECP_C is defined, so
  the legacy version of that function is available in that
  case

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-15 11:18:46 +02:00
Valerio Setti
229bf1031f pk: make mbedtls_pk_ec internal when !ECP_C
mbedtls_pk_ec() is not an ideal function because:
- it provides direct access to the ecp_keypair structure wrapped
  by the pk_context and
- this bypasses the PK module's control
However, since for backward compatibility, it cannot be deprecated
immediately, 2 alternative internal functions are proposed.
As a consequence:
- when ECP_C is defined, then the legacy mbedtls_pk_ec is available
- when only ECP_LIGHT is defined, but ECP_C is not, then only the
  new internal functions will be available

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-15 11:13:55 +02:00
Fredrik Hesse
cc207bc379 Replace references to Mbed Crypto with Mbed TLS through-out documentation and comments.
Signed-off-by: Fredrik Hesse <fredrik@hesse.se>
2023-05-12 14:59:01 +01:00
Tom Cosgrove
6d62faca8e Only include psa_pake_setup() and friends if some PAKE algorithms are required
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-05-12 12:36:24 +01:00
Andrzej Kurek
199eab97e7 Add partial support for URI SubjectAltNames
Only exact matching without normalization is supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-05-10 09:57:19 -04:00
Yanray Wang
7265bab8ad mbedtls_config.h: remove empty * line before closing */ line
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-10 17:50:58 +08:00
Yanray Wang
d2ae432364 mbedtls_config.h: rewrite comment for AES_ONLY_128_BIT_KEY_LENGTH
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-10 17:49:34 +08:00
Manuel Pégourié-Gonnard
1d046fa0dd
Merge pull request #6010 from mprse/ffdh_import_export
FFDH 1, 2A, 2B: FFDH add support for import/export key, key agreement, key generation + tests
2023-05-10 11:40:54 +02:00
Yanray Wang
ab4fb0d34c aes.h: rewrite comment for aes round key buf
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-10 10:06:14 +08:00
Gilles Peskine
8d42cfddd6
Merge pull request #7539 from gilles-peskine-arm/mbedtls_error_pair_t-smaller
Halve size of mbedtls_error_pair_t
2023-05-09 15:55:51 +02:00
Gilles Peskine
97edeb4fb8
Merge pull request #6866 from mprse/extract-key-ids
Extracting SubjectKeyId and AuthorityKeyId in case of x509 V3 extensions v.2
2023-05-08 20:38:29 +02:00
Kusumit Ghoderao
9016bc4ed2 Clean up commented code
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-08 16:04:05 +05:30
Kusumit Ghoderao
3fc4ca7272 Limit max input cost to 32bit
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-08 15:57:41 +05:30
Gilles Peskine
4837e9d1c0 Correct comment about mbedtls error codes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-05-07 20:27:13 +02:00
Pol Henarejos
d06c6fc45b
Merge branch 'development' into sha3
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2023-05-05 16:01:18 +02:00
Valerio Setti
92da2a79aa pk: improve description for the next opaque ID field
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-05 12:31:23 +02:00
Valerio Setti
4f387ef277 pk: use better naming for the new key ID field
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-05 10:59:32 +02:00
Valerio Setti
e00954d0ed pk: store opaque key ID directly in the pk_context structure
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-05 10:57:26 +02:00
Yanray Wang
1ed226f790 Auto-enable CTR_DRBG_USE_128_BIT_KEY with AES_ONLY_128_BIT_KEY_LENGTH
This commit adds support to auto-enable
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if
MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH enabled.
Furthermore, the corresponding check is removed in check_config.h.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 16:23:31 +08:00
Yanray Wang
8b9877bad7 aes.h: add comment for round key buffer in aes context
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 16:17:48 +08:00
Yanray Wang
4a7fdffa5e mbedtls_config.h: paraphrase code size saving in comment
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 16:11:33 +08:00
Yanray Wang
3d4d146f07 mbedtls_config.h: fix issue in grammar
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 15:05:46 +08:00
Yanray Wang
a87046704f Add checks if MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH enabled
This commit adds configuration check in check_config.h if
MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH enabled.
Furthermore, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is disabled
by default in scripts/config.py for full configuration.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 11:21:18 +08:00
Arto Kinnunen
b1c626b5c6 AES: adjust AES RAM usage according to config options
Do not reserve additional space for mbedtls_aes_context if config
option AES_ONLY_128_BIT_KEY_LENGTH is used and PADLOCK_C is not used.
This reduces RAM usage by 96 bytes.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 11:21:13 +08:00
Arto Kinnunen
732ca3221d AES: add macro of MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
Add configuration option to support 128-bit key length only
in AES calculation.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 11:20:38 +08:00
Jethro Beekman
0167244be4 Read and write X25519 and X448 private keys
Signed-off-by: Jethro Beekman <jethro@fortanix.com>
Co-authored-by: Gijs Kwakkel <gijs.kwakkel@fortanix.com>
Signed-off-by: Gijs Kwakkel <gijs.kwakkel@fortanix.com>
2023-05-04 13:01:47 +02:00
Kusumit Ghoderao
b9410e89b4 Fix failing CI
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-04 13:17:51 +05:30
Przemek Stekiel
746dfaea3f Enable FFDH through PSA if it's enabled in the legacy interface
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-05-04 09:14:08 +02:00
Kusumit Ghoderao
dcfa548293 Add pbkdf2 to key_derivation context struct
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-03 14:20:35 +05:30
Kusumit Ghoderao
30ced52497 Add pbkdf2 struct to crypto_builtin_key_derivation.h
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-03 14:20:35 +05:30
Kusumit Ghoderao
876e2c2424 Add psa_pbkdf2_key_derivation_state_t
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-03 14:20:34 +05:30
Kusumit Ghoderao
83baf8968d Add builtin PBKDF2_HMAC definition in config_psa.h
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-03 14:20:34 +05:30
Kusumit Ghoderao
aca31654e6 Enable PSA_WANT_ALG_PBKDF2_HMAC in crypto_config.h
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-05-03 14:20:34 +05:30
Gilles Peskine
b567f8326d Halve size of mbedtls_error_pair_t
All PSA crypto error codes fit comfortably in 16 bits and we have no plans
to ever change this. So use 16 bits to store them, which reduces
mbedtls_error_pair_t from 8 bytes to 4 bytes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-05-02 21:40:07 +02:00
Gilles Peskine
d3ca5e5897
Merge pull request #7328 from mprse/ec-jpake-fix1
Fix the JPAKE driver interface for user+peer
2023-05-02 20:42:25 +02:00
Manuel Pégourié-Gonnard
8e076e4132
Merge pull request #6915 from aditya-deshpande-arm/example-driver-post-codestyle
Document (with examples) how to integrate a third-party driver with Mbed TLS
2023-05-02 12:13:42 +02:00
Manuel Pégourié-Gonnard
f317df98ea
Merge pull request #7461 from valeriosetti/issue7460-part1
Fixing USE_PSA_INIT/DONE in SSL/X509/PK test suites
2023-05-02 10:44:13 +02:00
Aditya Deshpande
f100f00679 Add warnings to documentation stating that p256-m code may be out of date with upstream, plus other minor grammatical fixes.
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2023-04-28 17:54:15 +01:00
Aditya Deshpande
bac592d53e Remove rand() from p256_generate_random() and move to an implementation based on mbedtls_ctr_drbg
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2023-04-28 17:54:15 +01:00
Aditya Deshpande
e41f7e457f Integrate p256-m as an example driver alongside Mbed TLS and write documentation for the example.
(Reapplying changes as one commit on top of development post codestyle change instead of rewriting old branch)

Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2023-04-28 17:54:09 +01:00
Przemek Stekiel
4ce523256b Fix definition of PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE (ECC vs FFDH max)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-28 13:40:34 +02:00
Przemek Stekiel
eb511a4495 Update config files to make PSA FFDH undependent on MBEDTLS_DHM_C
To enable support for FFDH in PSA MBEDTLS_USE_PSA_CRYPTO needs to be enabled.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-28 13:20:16 +02:00
Przemek Stekiel
6d85afa0cc Fix naming: FFDH key -> DH key and fix guard in psa_validate_key_type_and_size_for_key_generation
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-28 11:42:17 +02:00
Przemek Stekiel
5357a7a6d9 Use PSA_MAX_OF_THREE in PSA_EXPORT_KEY_PAIR_MAX_SIZE
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-27 11:22:36 +02:00
Dave Rodgman
98062a7c5d
Merge pull request #7316 from yuhaoth/pr/Add-msvc-support-for-aesce-module
Add msvc support for AESCE
2023-04-26 21:27:08 +01:00
David Horstmann
9643575d92 Limit OIDs to 128 components
The longest OID known by oid-info.com is 34 components[1], so 128
should be plenty and will limit the potential for attacks.

[1] http://oid-info.com/get/1.3.6.1.4.1.1248.1.1.2.1.3.21.69.112.115.111.110.32.83.116.121.108.117.115.32.80.114.111.32.52.57.48.48

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-04-26 11:50:14 +01:00
Przemek Stekiel
654bef0be0 Fix typos, comments, style, optimize macros
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-26 09:07:20 +02:00
Przemek Stekiel
87d9a4a30c Provide PSA_WANT_KEY_TYPE_FFDH_PUBLIC_KEY configuration
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-26 09:07:20 +02:00
Przemek Stekiel
ed23b61020 Adapt size macros for FFDH
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-26 09:04:32 +02:00
Przemek Stekiel
84ee3e2921 Adapt config files for FFDH
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-26 09:04:32 +02:00
Jerry Yu
a1a039dba6 Improve minimum compiler versions document
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-04-26 10:21:42 +08:00
Przemek Stekiel
aede2ad554 Optimize code (pake role type, freeing buffers)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-25 14:30:34 +02:00
Przemek Stekiel
6e628a4e7b Add undfined role for ec j-pake
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-25 13:11:36 +02:00
Jerry Yu
f015a93f98 Add msvc version document
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-04-25 10:38:03 +08:00
valerio
cf35d774fe doc: update USE_PSA_CRYPTO description
Signed-off-by: valerio <valerio.setti@nordicsemi.no>
2023-04-24 13:47:18 +02:00
Gilles Peskine
935a987b2b
Merge pull request #7436 from AndrzejKurek/x509-verify-san-ip
x509 SAN IP parsing
2023-04-21 22:00:58 +02:00
Jerry Yu
a7d454cec2 Remove unnecessary check
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-04-20 10:32:38 +08:00
Paul Elliott
4359badbb2
Merge pull request #7331 from mprse/ec-jpake-fix2
PSA PAKE: Check input_length against PSA_PAKE_INPUT_SIZE() in psa_pake_input
2023-04-17 16:31:09 +01:00
Ronald Cron
f54762e498
Merge pull request #7415 from Harshal5/fix/declaration_of_mbedtls_ecdsa_sign_det_restartable_function
ecdsa: fix `-missing-prototypes` warning when `MBEDTLS_ECDSA_SIGN_ALT` is defined
2023-04-17 15:41:25 +02:00
Przemek Stekiel
7921a03425 Add claryfication for PSA_PAKE_INPUT/OUTPUT_MAX_SIZE macros
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-17 12:32:06 +02:00
harshal.patil
8c77644906 ecdsa: fix -missing-prototypes warning when MBEDTLS_ECDSA_SIGN_ALT is defined
- In `mbedtls/v3.4.0`, ECDSA restartable sign and verify functions (`ecdsa.c`) were made public.
- But the `mbedtls_ecdsa_sign_det_restartable` function prototype was declared in the file `ecdsa.h`,
  only when `MBEDTLS_ECDSA_SIGN_ALT` is not defined.

Signed-off-by: harshal.patil <harshal.patil@espressif.com>
2023-04-17 12:53:00 +05:30
Manuel Pégourié-Gonnard
ed5998cd7d
Merge pull request #7422 from valeriosetti/remove-psa-have-full-symbols
Remove PSA_HAVE_FULL_xxx symbols
2023-04-17 09:19:00 +02:00
Stephan Koch
48fba6fbac Fix so that PSA_WANT_ALG_DETERMINISTIC_ECDSA implies PSA_HAVE_FULL_ECDSA.
Signed-off-by: Stephan Koch <koch@oberon.ch>
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-14 13:41:10 +02:00
Glenn Strauss
c26bd76020 x509 crt verify SAN iPAddress
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2023-04-11 08:29:42 -04:00
Valerio Setti
6b006c126b remove KEY_TYPE_ECC_PUBLIC_KEY unnecessary requirement
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 12:02:19 +02:00
Valerio Setti
6c496a1553 solve disparities for ECP_LIGHT between ref/accel
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
151bdf9668 build_info: fixed comment
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
d4a5d461de library: add remaining changes for the new ECP_LIGHT symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
0d2980f117 pk: adapt to new ECP_LIGHT symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
fd122f4e95 ecp: introduce new ECP_LIGHT symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
969e206e28 remove PSA_HAVE_FULL_JPAKE symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 10:55:25 +02:00
Valerio Setti
6f66664ed6 remove PSA_HAVE_FULL_ECDSA symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 10:54:22 +02:00
Valerio Setti
48859cc7d8 remove PSA_HAVE_FULL_ECDH symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 10:50:47 +02:00
Gilles Peskine
7c1c7ce90e
Merge pull request #7401 from AndrzejKurek/md-guards-missing
Add missing md.h includes
2023-04-11 09:32:17 +02:00
Gilles Peskine
c9e8a65d06
Merge pull request #7298 from lpy4105/issue/6840/add-cache-entry-removal-api
ssl_cache: misc improvements
2023-04-11 09:30:40 +02:00
Pengyu Lv
723ac268e7 ssh_cache: Add back description of other errors for cache getter
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-04-11 09:19:08 +08:00
Pengyu Lv
e3746d7ce6 ssl_cache: Error renaming and document improvement
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-04-10 14:40:03 +08:00
Ronald Cron
b828c7d3de Fix, improve and add comments
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:18 +02:00
Ronald Cron
8a12aeec93 tls: Initialize SSL context tls_version in mbedtls_ssl_setup()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:18 +02:00
Przemek Stekiel
21903ec860 Fix after rebase
Handle manually functions that have been moved to different locations.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
8a13866f65 Remove parsing of rfc822Name
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
Przemek Stekiel
9a511c5bdf Rename back mbedtls_x509_parse_general_name->mbedtls_x509_parse_subject_alt_name
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
toth92g
8d435a0c8b Renaming x509_get_subject_alt_name to x509_get_general_names and mbedtls_x509_parse_subject_alt_name to mbedtls_x509_parse_general_name so they can be used not only to collect subject alt name, but the V3 authority cert issuer that is also GeneralName type.
Also updated the x509_get_general_names function to be able to parse rfc822Names

Test are also updated according these changes.

Signed-off-by: toth92g <toth92g@gmail.com>
2023-04-04 17:48:28 +02:00
toth92g
a41954d0cf Extracting SubjectKeyId and AuthorityKeyId in case of x509 V3 extensions. Updating mbedtls_x509_crt_free function to also free the new dynamic elements (issuer field of AuthorityKeyId).
A few tests are also added which test the feature with a correct certificate and multiple ones with erroneous ASN1 tags.

Signed-off-by: toth92g <toth92g@gmail.com>
2023-04-04 17:48:27 +02:00
Andrzej Kurek
1b75e5f784 Add missing md.h includes
MBEDTLS_MD_CAN_SHAXXX are defined there.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-04-04 09:55:06 -04:00
Ronald Cron
219f978097
Merge pull request #7059 from ronald-cron-arm/psa-crypto-misc
PSA cryptography miscellaneous
2023-04-04 10:54:03 +02:00
Manuel Pégourié-Gonnard
86d5d4bf31
Merge pull request #7103 from valeriosetti/issue6622
Some MAX_SIZE macros are too small when PSA ECC is accelerated
2023-04-03 16:23:27 +02:00
Dave Rodgman
dd48c6e3df
Merge pull request #7385 from daverodgman/timing_alignment
Fix cast alignment warning in timing.c
2023-03-31 19:48:34 +01:00
Dave Rodgman
33b2210065 Fix cast alignment warning in timing.c
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-31 15:50:54 +01:00
Dave Rodgman
b8f5ba826b
Merge pull request #6891 from yuhaoth/pr/add-milliseconds-platform-function
Add milliseconds platform time function
2023-03-31 11:47:37 +01:00
Ronald Cron
789cef87f8 Fix documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-03-31 09:07:57 +02:00
Ronald Cron
135f2ae312 Pacify doxygen.sh
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-03-31 09:07:57 +02:00
Ronald Cron
f6236f032a psa: Introduce psa/build_info.h
The PSA cryptography repository is based to
start with on the PSA cryptography implementation
in Mbed TLS but with a different directority
structure, build system and build configuration.

The build-time configuration information in the
PSA cryptography repository is psa/build_info.h.
This commit introduces this file in Mbed TLS to
be used in place of mbedtls/build_info.h (but
basically just an alias to it) in PSA headers.
This is to ease the update of the PSA cryptography
repository.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-03-31 09:07:57 +02:00
Ronald Cron
e6e6b75ad3 psa: Remove MBEDTLS_PSA_CRYPTO_DRIVERS configuration option
The support for the PSA crypto driver interface
is not optional anymore as the implementation of
the PSA cryptography interface has been restructured
around the PSA crypto driver interface (see
psa-crypto-implementation-structure.md). There is
thus no purpose for the configuration options
MBEDTLS_PSA_CRYPTO_DRIVERS anymore.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-03-31 09:07:54 +02:00
Ronald Cron
2f10fceccd psa: include: Move key derivation builtin and driver contexts
Move key derivation builtin and driver contexts
to specific header files as key derivation
contexts depend both on primitive and composite
crypto algorithms contexts.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-03-31 09:01:45 +02:00
Ronald Cron
e7cde181ea psa: include: Move some Mbed TLS headers
The structures related to CMAC, GCM, CCM and
CHACHAPOLY operations are defined in
crypto_builtin_composites.h not in
crypto_struct.h. Thus move the cmac.h, gcm.h,
ccm.h and chachapoly.h header inclusions from
crypto_struct.h to crypto_builtin_composites.h.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-03-31 09:01:45 +02:00
Ronald Cron
fe8e135816 psa: Remove unnecessary headers
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-03-31 09:01:45 +02:00
Paul Elliott
03d557db35
Merge pull request #6900 from AndrzejKurek/san-dirname
Add support for directoryName subjectAltName
2023-03-30 18:37:26 +01:00
Manuel Pégourié-Gonnard
0ab380a8ae
Merge pull request #7354 from mpg/ecc-doc-update
Ecc doc update
2023-03-30 15:38:47 +02:00
Manuel Pégourié-Gonnard
9463e780c6 Fix a typo
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-30 09:37:39 +02:00
Manuel Pégourié-Gonnard
59b61da7c4 Fix dependency check for TLS 1.3 ECDH
This part is specific to 1.3 and directly calls PSA APIs regardless of
whether MBEDTLS_USE_PSA_CRYPTO is defined, so use PSA_WANT. Note: the
code is already using PSA_WANT everywhere in ssl_tls13*.c.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-30 09:35:41 +02:00
Andrzej Kurek
c27ba3a531 Clarify SAN structure memory management
Co-authored-by: David Horstmann <david.horstmann@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:41:34 -04:00
Andrzej Kurek
8bc128eca7 Add missing information about supported subjectAltName types
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:40:38 -04:00
Andrzej Kurek
5f0c6e82fb Add missing deallocation of subject alt name
Since mbedtls_x509_get_name allocates memory
when parsing a directoryName, deallocation
has to be performed if anything fails in the
meantime.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:40:38 -04:00
Andrzej Kurek
d40c2b65a6 Introduce proper memory management for SANs
DirectoryName parsing performs allocation that has to be handled.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:03:01 -04:00
Andrzej Kurek
e12b01d31b Add support for directoryName subjectAltName
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-29 11:03:01 -04:00
Dave Rodgman
05c5a91514
Merge pull request #7307 from Mbed-TLS/sphinx-versioned-documentation
Generate API documentation with Sphinx and Breathe
2023-03-29 12:01:59 +01:00
Manuel Pégourié-Gonnard
4fa702ae79 Update documented dependencies on ECC algs
Previous PRs update check_config.h correctly, but forgot the
documentation in mbedtls_config.h.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-29 12:19:41 +02:00
Manuel Pégourié-Gonnard
93b21e74f9 Update documentation to mention ECC drivers
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-29 10:30:26 +02:00
Valerio Setti
ee9fa46111 check_config: add helper symbol for SECP256R1
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-29 10:28:39 +02:00
Valerio Setti
1a6d96f59e test: use full config as test starting point and solve issues
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-29 10:28:06 +02:00
Valerio Setti
271c12e256 psa: use only PSA_WANT symbols for PSA_VENDOR_ECC_MAX_CURVE_BITS
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-29 10:27:18 +02:00
Valerio Setti
8f1e98a971 psa: set PSA_VENDOR_ECC_MAX_CURVE_BITS based on both SW and accelerated support
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-29 10:27:18 +02:00
Valerio Setti
77a904c761 ssl: remove useless guard
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-28 16:26:48 +02:00
Valerio Setti
1fa5c56863 ssl_tls: fix guard symbols for EC accelerated tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-28 16:26:47 +02:00
Paul Elliott
69034388e9 Fix conflict between restricted and development
MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA was removed in
development and replaced with MBEDTLS_MD_CAN_SHA384.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-27 21:24:45 +01:00
Paul Elliott
d01a3bca05 Merge tag 'v3.4.0' into mbedtls-3.4.0_mergeback
Mbed TLS 3.4.0
2023-03-27 18:09:49 +01:00
Valerio Setti
ab9dc667ff psa_util: fix for correctly computing elements in array
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-27 11:25:10 -04:00
Pengyu Lv
4e70724396 ssl_cache: Add descriptions of returns of cache accessors
Add descriptions of the return values of mbedtls_ssl_cache_get
and mbedtls_ssl_cache_set.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-03-27 11:29:49 +08:00
Manuel Pégourié-Gonnard
2ca08c8409 Try again to clarify USE_PSA_CRYPTO
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:44:59 +01:00
Manuel Pégourié-Gonnard
a22857b710 Fix documented dependencies on TLS 1.2
The check in check_config.h was fixed in a previous PR, but the
documentation hadn't been updated accordingly.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:44:59 +01:00
Manuel Pégourié-Gonnard
70a1b6d828 Fix typos
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Manuel Pégourié-Gonnard
5a51d0d789 Fix depends.py failure with correct TLS 1.2 deps
TLS 1.2 has never been able to work with only SHA-512, it just happened
to pass previously because the declared dependencies were too lax.
(Probably related to the fact that in the past we didn't distinguish
between SHA-512 and SHA-384 in dependencies.)

So, just disable all of TLS in SHA-512-only builds. While at it, tune
build_info.h to make this easier - it already had partial support for
disabling TLS 1.2 or TLS 1.3 in an easier way, but not both of them at
the same time.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Manuel Pégourié-Gonnard
a31ddb98dc Fix and simplify TLS hash dependency declarations
Fixes #6441

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Manuel Pégourié-Gonnard
bb21c5afa7 Use helper macros for hashes in check_config.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Manuel Pégourié-Gonnard
93302422fd Fix instances of old feature macros being used
sed -i -f md.sed include/mbedtls/ssl.h library/hmac_drbg.c programs/pkey/*.c programs/x509/*.c tests/scripts/generate_pkcs7_tests.py tests/suites/test_suite_random.data

Then manually revert programs/pkey/ecdsa.c as it's using a low-level
hash API.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Manuel Pégourié-Gonnard
4011eb49dc Fix entropy-related feature macros
Was causing testing disparities picked by analyze_outcomes.py

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Manuel Pégourié-Gonnard
5cd4b6403b Use MD-light in entropy.c
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Przemek Stekiel
b175b146a2 Remove driver_pake_get_role function
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-23 13:37:18 +01:00
Przemek Stekiel
e80ec0a9af Adapt J-PAKE built-in impl to use user/peer
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-23 13:37:12 +01:00
Paul Elliott
db67e99bbf Bump library, libcrypto and libx509 versions
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-23 10:57:39 +00:00
Pengyu Lv
5038a38695 ssl_cache: Return standard mbedtls error code
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-03-23 15:53:43 +08:00
Przemek Stekiel
656b2595fb psa_pake_input: validate buffer size using PSA_PAKE_INPUT_SIZE
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-23 08:05:52 +01:00
Pengyu Lv
cdf06f69dd Improve function return value description
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-03-23 11:15:24 +08:00
Valerio Setti
080a22ba75 ssl_tls13: use PSA_WANT_ALG_ECDH as symbol for marking ECDH capability
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-22 10:48:34 +01:00
Valerio Setti
4059aba353 accelerated ecdh: re-enable TLS 1.3 key exchanges and fix guards in check_config
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-22 10:48:34 +01:00
Valerio Setti
ccf0be28e8 fix typo
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-22 10:40:05 +01:00
Valerio Setti
da8535b74e ecdh: simplify guards for the newly created PSA_HAVE_FULL_ECDH symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-22 10:40:05 +01:00
Valerio Setti
d3f0b9e78c ecdhe: fix guards for accelerated ECDHE key exchanges
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-22 10:36:59 +01:00
Przemek Stekiel
1f778bcfd8 EC-JPAKE: remove limitation for user/peer (alow any value)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-22 09:52:08 +01:00
Paul Elliott
f1eb5e2a04 Merge branch 'development-restricted' into mbedtls-3.4.0rc0-pr
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-21 15:35:17 +00:00
Manuel Pégourié-Gonnard
161dca63c3 Fix typos & improve wording in comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:29:31 +01:00
Manuel Pégourié-Gonnard
7224086ebc Remove legacy_or_psa.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:29:31 +01:00
Manuel Pégourié-Gonnard
a946489efd X.509: use MD_CAN macros
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
49e67f814f PKCS5: always use MD
As a consequence, MD_C is now enabled in component accel_hash_use_psa.

Fix guards in X.509 info function to avoid this causing a failure now.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
fb8d90a2db RSA: always use MD light
Note: already auto-enabled in build_info.h

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
1c2008fa37 PEM: always use MD light
Note: PEM_PARSE already auto-enables MD_LIGHT in build_info.h

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
be97afe5d4 PKCS12: always use MD light
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
41bc8b6b1e ECJPAKE: always use MD light
This enables access to all available hashes, instead of the previous
situation where you had to choose by including MD_C or not.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
235a933f99 PSA hash algs must be a superset of built-ins
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
534d64d67e MD no longer depends on a built-in hash
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
e0e161b54a
Merge pull request #7296 from valeriosetti/issue7253-part1
driver-only ECDH: enable ECDH-based TLS 1.2 key exchanges -- part 1
2023-03-21 16:09:02 +01:00
Dave Rodgman
3543806026
Merge pull request #7190 from yanrayw/6197_rsa_get_padding_hashID
RSA: provide interface to retrieve padding mode and hash_id
2023-03-20 18:34:53 +00:00
Dave Rodgman
97fd217748
Merge pull request #7318 from tom-cosgrove-arm/update-mbedtls_have_asm-requirements-in-mbedtls_config.h
Note that MBEDTLS_HAVE_ASM is required by MBEDTLS_AESCE_C
2023-03-20 18:22:25 +00:00
Dave Rodgman
d3b6e92967
Merge pull request #997 from gilles-peskine-arm/aesni-intrinsics
Implement AESNI with intrinsics
2023-03-20 18:20:51 +00:00
Tom Cosgrove
f586aa2af2 Note that MBEDTLS_HAVE_ASM is required by MBEDTLS_AESCE_C
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-20 14:45:27 +00:00
Valerio Setti
5d1f29e700 ssl_tls: fix guards for accelerated ECDH
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-20 14:02:07 +01:00
Manuel Pégourié-Gonnard
4ebe2a7372
Merge pull request #7300 from valeriosetti/issue7281
Driver only EC JPAKE: re-enable the EC J-PAKE key exchange and get test parity
2023-03-20 09:54:47 +01:00
Manuel Pégourié-Gonnard
14c194aae9
Merge pull request #7271 from mpg/use-md-light
Use md light
2023-03-20 09:01:16 +01:00
Dave Rodgman
f918d42332 Tidy up ARMCE terminology
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-17 17:52:23 +00:00
Yanray Wang
d41684e8bc rsa.c: rename getter function of hash_id
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-17 18:57:42 +08:00
Dave Rodgman
0e2b06a1ce
Merge pull request #7083 from KloolK/record-size-limit/parsing
Add parsing for Record Size Limit extension in TLS 1.3
2023-03-17 10:18:34 +00:00
Paul Elliott
9f02a4177b
Merge pull request #7009 from mprse/csr_write_san
Added ability to include the SubjectAltName extension to a CSR - v.2
2023-03-17 10:07:27 +00:00
Manuel Pégourié-Gonnard
b33ef74d44 Use MD_LIGHT, not sha1.h, in RSA selftest
Same note as previous commit regarding guards.

Note that we could auto-enable MD_LIGHT only when SELF_TEST is defined,
and even only when SHA1_C is defined too, but somewhere down the line
we'll want to auto-enable it for the sake of other RSA function (not in
selftest and could use any hash), so there's little point in optimizing
the temporary condition, let's use the simple one upfront.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-17 09:43:28 +01:00
Manuel Pégourié-Gonnard
8316209c02 Use MD_LIGHT rather than md5.h in pem.c
But, for now, still guard things with MBEDTLS_MD5_C, as md.c can only
compute MD5 hashes when MBEDTLS_MD5_C is defined. We'll change the
guards once that has changed.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-17 09:43:27 +01:00
David Horstmann
d855b4680d Add space to appease doxygen bug
See doxygen/doxygen#8706

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-03-16 18:00:36 +00:00
Gilles Peskine
0bfccfa537 Document the new state of AESNI support
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-16 17:49:44 +01:00
Gilles Peskine
dd6021caf1 Remove the dependency of MBEDTLS_AESNI_C on MBEDTLS_HAVE_ASM
AESNI can now be implemented with intrinsics.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-16 16:51:40 +01:00
Manuel Pégourié-Gonnard
9d698df4f4 Further clarify a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-16 09:48:20 +01:00
Manuel Pégourié-Gonnard
a9ab4a2d60 Clarify a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-16 09:48:20 +01:00
Manuel Pégourié-Gonnard
39a376a417 Finish removing HMAC from MD-light
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-16 09:46:51 +01:00
Manuel Pégourié-Gonnard
9b14639342 Dispatch according to init status.
We shouldn't dispatch to PSA when drivers have not been initialized yet.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-16 09:46:51 +01:00
Manuel Pégourié-Gonnard
d8ea37f1a3 Add engine field to context structure
For multi-part operations, we want to make the decision to use PSA or
not only once, during setup(), and remember it afterwards. This supports
the introduction, in the next few commits, of a dynamic component to
that decision: has the PSA driver sub-system been initialized yet?

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-16 09:46:50 +01:00
Gilles Peskine
83d9e09b15 Switch metadata functions to the PSA-aware availability symbols
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-16 09:46:50 +01:00
Gilles Peskine
416d0e2b01 Introduce preprocessor symbols for MD algorithm support via PSA
These new symbols will allow code to call the md module and benefit from PSA
accelerator drivers. Code must use MBEDTLS_MD_CAN_xxx instead of
MBEDTLS_xxx_C to check for support for a particular algorithm.

This commit only defines the symbols. Subsequent commits will implement
those symbols in the md module, and in users of the md module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-16 09:46:50 +01:00
Valerio Setti
82b484ecbc ecjpake: fix guards for driver only builds
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-16 08:21:44 +01:00
Pengyu Lv
b1895899f1 ssl_cache: Improve some comments
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-03-16 14:33:28 +08:00
Gilles Peskine
2a44ac245f
Merge pull request #7217 from lpy4105/issue/6840/add-cache-entry-removal-api
ssl_cache: Add cache entry removal api
2023-03-15 15:38:06 +01:00
Jan Bruckner
a0589e75a0 Changes from review
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-15 11:04:45 +01:00
Dave Rodgman
b599562033
Merge pull request #7240 from tom-cosgrove-arm/fix-issue-7234
Don't insist on MBEDTLS_HAVE_ASM for MBEDTLS_AESCE_C on non-Arm64 systems
2023-03-15 09:04:44 +00:00
Yanray Wang
83548b5c10 fix inappropriate description for function in RSA
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-15 16:49:52 +08:00
Yanray Wang
12cb39661c rsa.c: provide interface to get hash_id of RSA context
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-15 16:42:48 +08:00
Yanray Wang
a730df6f86 rsa.c: provide interface to get padding mode of RSA context
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-15 16:42:26 +08:00
Manuel Pégourié-Gonnard
18336dace2
Merge pull request #7196 from mprse/ecjpake-driver-dispatch-peer-user
EC J-PAKE: partial fix for role vs user+peer
2023-03-15 09:37:30 +01:00
Pengyu Lv
0b9c012f21 ssl_cache: return the error code for mutex failure
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-03-15 14:37:32 +08:00
Dave Rodgman
023c8853ac
Merge pull request #7203 from yuhaoth/pr/add-cpu-modifier-for-aesce
Add CPU modifier for AESCE
2023-03-14 15:58:57 +00:00
Przemek Stekiel
c0e6250ff9 Fix documentation and tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-14 11:49:36 +01:00
Jan Bruckner
151f64283f Add parsing for Record Size Limit extension in TLS 1.3
Fixes #7007

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-14 08:41:25 +01:00
Dave Rodgman
cdaaef52f4
Update include/mbedtls/pkcs7.h
Co-authored-by: Xiaokang Qian <53458466+xkqian@users.noreply.github.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-14 07:13:50 +00:00
Dave Rodgman
bcc92d4f03
Update include/mbedtls/pkcs7.h
Co-authored-by: Xiaokang Qian <53458466+xkqian@users.noreply.github.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-14 07:13:44 +00:00
Jerry Yu
fbf9523449 Revert "Add experimental warning"
This reverts commit be510fe470.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-03-14 10:33:32 +08:00
Paul Elliott
e4622a3436 Merge remote-tracking branch 'development/development' into development-restricted
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-13 17:49:32 +00:00
Przemek Stekiel
fde112830f Code optimizations and documentation fixes
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-13 16:28:27 +01:00
Dave Rodgman
efbc5f7322 Update wording in comments
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-13 12:15:49 +00:00
Jerry Yu
be510fe470 Add experimental warning
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-03-13 11:26:35 +08:00
Jerry Yu
be78386681 Remove documents about command line options.
After this PR, the issue has been fixed.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-03-13 10:58:41 +08:00
Przemek Stekiel
18cd6c908c Use local macros for j-pake slient/server strings
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-12 16:59:28 +01:00
Przemek Stekiel
d7f6ad7bc8 Minor fixes (comments, cleanup)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-12 16:59:28 +01:00
Dave Rodgman
25b2dfa6da Fix comment typo
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-12 08:50:58 +00:00
Dave Rodgman
957cc36be9 Improve wording; use PKCS #7 not PKCS7
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-12 08:50:58 +00:00
Dave Rodgman
3fe2abf306 Apply suggestions from code review
Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-12 08:50:58 +00:00
Dave Rodgman
7c33b0cac6 Remove pre-production warnings
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-12 08:50:58 +00:00
Manuel Pégourié-Gonnard
439dbc5c60 Fix dependency for TLS 1.3 as well
Turns out TLS 1.3 is using the PK layer for signature generation &
verification, and the PK layer is influenced by USE_PSA_CRYPTO.

Also update docs/use-psa-crypto.md accordingly.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-10 12:37:15 +01:00
Manuel Pégourié-Gonnard
45bcb6aac8 Fix dependencies of 1.2 ECDSA key exchanges
Having ECDSA in PSA doesn't help if we're not using PSA from TLS 1.2...

Also, move the definition of PSA_HAVE_FULL_ECDSA outside the
MBEDTLS_PSA_CRYPTO_CONFIG guards so that it is available in all cases.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-10 12:37:15 +01:00
Przemek Stekiel
e9254a0e55 Adapt driver dispatch documentation for user/peer getters
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-10 09:18:03 +01:00
Przemek Stekiel
1e7a927118 Add input getters for jpake user and peer
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-10 09:18:03 +01:00
Przemek Stekiel
26c909d587 Enable support for user/peer for JPAKE
This is only partial support. Only 'client' and 'server' values are accepted for peer and user.
Remove support for role.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-10 09:18:02 +01:00
Gilles Peskine
4da92832b0
Merge pull request #7117 from valeriosetti/issue6862
driver-only ECDSA: enable ECDSA-based TLS 1.2 key exchanges
2023-03-09 20:49:44 +01:00
Dave Rodgman
bf4016e5d5
Merge pull request #6567 from mprse/ecjpake-driver-dispatch 2023-03-09 19:23:05 +00:00
Tom Cosgrove
94e841290d Don't check prerequisites for MBEDTLS_AESCE_C if we won't use it
Fixes #7234

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-09 17:17:42 +00:00
Przemek Stekiel
b8eaf635ba Remove MBEDTLS_SHA256_C from PSA_WANT_ALG_JPAKE config and adapt test dependencies
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-09 12:14:26 +01:00
Dave Rodgman
5e5aa4a4e6
Merge pull request #7218 from tom-cosgrove-arm/fix-typos-230307
Fix typos in development prior to release
2023-03-08 17:19:59 +00:00
Valerio Setti
1470ce3eba fix typos
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-08 16:50:12 +01:00
Valerio Setti
30c4618970 Add new PSA_HAS_FULL_ECDSA macro for easily signal that PSA has full ECDSA support
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-08 16:47:28 +01:00
Gilles Peskine
ed7b5978cd
Merge pull request #6172 from gilles-peskine-arm/doc-tls13-psa_crypto_init
Document the need to call psa_crypto_init for TLS 1.3
2023-03-07 20:13:53 +01:00
Gilles Peskine
a2fc399f57
Merge pull request #6829 from AndrzejKurek/unify-psa-errors
Unify PSA to Mbed TLS error translation
2023-03-07 19:55:44 +01:00
Tom Cosgrove
5c8505f061 Fix typos
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-07 11:39:52 +00:00